Why Understanding Cybersecurity Is No Longer Optional For Businesses

Founder, BeforeCrypt GmbH – The Leading Ransomware Experts In Europe

Recently the White House issued an open letter calling on businesses to improve their cyber defenses in response to ransomware — and not a moment too soon.

Ransomware has been getting worse for some time. A recent survey found that 51% of businesses in America were hit by ransomware in 2020, with an average ransom demand of $178,000. An estimated 25% of victims chose to pay the ransom. 

As bad as it is, it’s poised to get worse. Hackers seem to be emboldened by their success and are growing more ambitious with time. The most dramatic example of this trend was the shutdown of the Colonial Pipeline in May, leading to fuel shortages across the Eastern seaboard. In June, JBS, the country’s largest meat producer, saw its operations crippled, leading to meat shortages. It seems like no one is safe; even hospitals and schools are regularly targeted.

The digitization of our lives was already moving at bewildering speed before the Covid-19 pandemic began. With the lockdowns, this transition has gone into overdrive, and with increased reliance on the internet comes increased vulnerability.

We’ve entered a new paradigm, but most of us haven’t realized it yet. The emergence of decentralized digital currencies has added a new dimension to cyberspace, and there’s no going back. This is a sink-or-swim moment; adapting to this new reality is not optional.

If you look through the comments sections on news articles about ransomware, you can see people starting to call for military solutions to the crisis. As satisfying as it might be to imagine a black ops team bringing rough justice to a gang of cyber extortionists, I believe this is unrealistic and simply won’t work. 

Ransomware is not going to go away, no matter how many hackers are locked up. Crimes of this nature are an inescapable part of the rise of the internet of money. It’s time to wake up and smell the coffee.

Although I don’t advocate military action as a solution to ransomware, this reaction is understandable. Hostile foreign powers with political agendas can shelter ransomware hackers. These hackers then target businesses that form the bedrock of our economy. In a way, business owners are on the front lines of an emerging war in cyberspace. 

In the letter issued by the White House, Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, outlines some practical steps business leaders can take to improve security. These measures include implementing multi-factor authentication, deploying endpoint detection and encrypting file systems.

In the short term, these are important and much-needed steps. In the long term, however, we need a fundamental shift in the way we think about cybersecurity, and this has to come from the bottom up.

There is a pervasive idea among non-technical business people that cybersecurity can be “outsourced.” That may have been the case in the past, but we can no longer depend on the “tech guy” alone to keep our networks safe. A chain is only as strong as its weakest link. This is especially true as social engineering and phishing attacks are deployed in more and more ransomware attacks.

This is an ongoing arms race, and the only way to mount a sustainable defense in the long term is to normalize cybersecurity awareness. We need to start thinking about cybersecurity skills as foundational to a well-rounded education, similar to reading, writing and arithmetic in classical schooling models.

For the time being, the recommendations in Neuberger’s letter are a good start, but this is not enough. The business community, and small and medium business owners especially, may need extra support to adjust to the “new normal” of heightened risk of cybercrime.

Small and medium businesses are a common target of ransomware attacks and are often the least able to adapt. In many cases, these businesses do not have the resources to do things like organize phishing awareness workshops for employees, upgrade legacy servers or restructure their backup procedures.

This can’t be a one-off effort. It requires a fundamental restructuring of the way we do business. The threat actors in this space are often highly adaptable, and they respond quickly to countermeasures. Regular cybersecurity training needs to become a continuous part of our work routine. 

At present, I believe cybersecurity education is not getting the attention it deserves, and small investments in this area could yield big dividends in the future. The old saying that “an ounce of prevention is worth a pound of cure” is especially poignant in this context.

Consider the scope of this problem. It’s estimated that the damage caused by cybercrime worldwide in 2021 will exceed $1 trillion, with 38% of that targeting the U.S. By comparison, the damage caused by natural disasters nationwide in 2020 was estimated at around $95 billion.

In purely monetary terms, cybercrime is causing more damage than natural disasters, but the government’s budget priorities have not yet caught up to this reality. At present, the National Institute for Standards and Technology (NIST) is the main governmental body responsible for supporting cybersecurity in the private sector. The entire budget for the NIST in 2021 was just over $1 billion, while the FEMA budget for 2021 was set at $28 billion.

The government can and should be an important partner in supporting cybersecurity efforts in the private sector, but ultimately, mounting an effective response to this threat must be a grassroots, citizen-led effort. We have the power and the responsibility to rise to this challenge. It’s time for people from all walks of life, and business leaders in particular, to buckle down and start educating themselves about cybersecurity.

With our schools, hospitals and critical infrastructure facing direct threats, cultivating cybersecurity skills and awareness should be viewed as a civic duty. Ransomware threatens all of us and all types of companies, whether we realize it or not. Do your part to contain its spread.

